I have a FreeBSD machine with an inclusive IPF firewall. However, I have realized now this is blocking (outbound) ftp.
There is active and passive ftp. Active ftp is a no-go, as that would mean the client needs to allow inbound traffic on an unknown port. But with passive ftp, it seems the client needs to allow outbound traffic on an unknown (data) port (suggested by the server). So if you have an inclusive firewall that won't work.
The FreeBSD handbook has the following comments in their example of "a very secure inclusive type of firewall":
This seems to suggest ftp should work, but I find that is not the case. Am I missing something?
Code:
# Allow out gateway & LAN users' non-secure FTP ( both passive & active modes)
# This function uses the IPNAT built in FTP proxy function coded in
# the nat rules file to make this single rule function correctly.
# If you want to use the pkg_add command to install application packages
# on your gateway system you need this rule.
pass out quick on dc0 proto tcp from any to any port = 21 flags S keep state
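The rule quoted above only admits the control connection (destination port 21). In passive mode the data port is announced in-band, in the server's `227`/`229` reply on that control channel, so a static rule cannot know it; that is why the handbook's comment says the rule only works together with the IPNAT FTP proxy (a `map ... proxy port 21 ftp/tcp` line in the ipnat rules file, see ipnat(5) and the handbook's IPNAT section), which watches the control channel and opens the data connection dynamically. The following is an added example, not code from the original post, the FreeBSD handbook or ipf/ipnat itself: it parses PASV/EPSV replies the way such a proxy has to, and models the inclusive rule set as a toy (`InclusiveFirewall`, a hypothetical name) to show the data SYN being blocked without the proxy and passed with it. The two server replies are constructed, not captured.

```python
import re

# Constructed sample FTP control-channel replies (not captured from a real server).
# PASV encodes the data endpoint as h1,h2,h3,h4,p1,p2 with port = p1*256 + p2.
SAMPLE_PASV_REPLY = b"227 Entering Passive Mode (203,0,113,10,195,88).\r\n"
# EPSV (RFC 2428) announces only the port; the host is the control peer.
SAMPLE_EPSV_REPLY = b"229 Entering Extended Passive Mode (|||65000|)\r\n"

PASV_RE = re.compile(rb"^227 .*?\((\d+),(\d+),(\d+),(\d+),(\d+),(\d+)\)")
EPSV_RE = re.compile(rb"^229 .*?\(\|\|\|(\d+)\|\)")


def parse_passive_reply(line: bytes, control_peer: str):
    """Return (host, port) announced in a PASV/EPSV reply, or None if the
    line is not a passive-mode reply. Raises ValueError on malformed values."""
    m = PASV_RE.match(line)
    if m:
        a, b, c, d, p1, p2 = (int(x) for x in m.groups())
        if not all(0 <= x <= 255 for x in (a, b, c, d, p1, p2)):
            raise ValueError("PASV field out of range")
        return (f"{a}.{b}.{c}.{d}", p1 * 256 + p2)
    m = EPSV_RE.match(line)
    if m:
        port = int(m.group(1))
        if not 1 <= port <= 65535:
            raise ValueError("EPSV port out of range")
        return (control_peer, port)
    return None


class InclusiveFirewall:
    """Toy model (assumption, not ipf) of the quoted inclusive rule set:
    outbound TCP SYNs pass only to port 21, everything else hits the
    block-all default, unless an FTP proxy has added a dynamic entry."""

    def __init__(self, ftp_proxy: bool):
        self.ftp_proxy = ftp_proxy
        self.dynamic = set()  # (dst_host, dst_port) holes opened by the proxy

    def allow_out_syn(self, dst_host: str, dst_port: int) -> bool:
        if dst_port == 21:
            return True  # the "pass out ... port = 21 flags S keep state" rule
        return (dst_host, dst_port) in self.dynamic

    def observe_control_reply(self, line: bytes, control_peer: str):
        """What the FTP proxy contributes: inspect the control channel and open
        the announced data endpoint. As a sanity check this toy only honours a
        reply whose host matches the control peer, so a reply naming some
        third host cannot open a hole towards it."""
        if not self.ftp_proxy:
            return None
        target = parse_passive_reply(line, control_peer)
        if target is None or target[0] != control_peer:
            return None
        self.dynamic.add(target)
        return target


def passive_ftp_session(fw: InclusiveFirewall, server: str, reply: bytes) -> dict:
    """Simulate the client side of a passive transfer through fw and report
    whether the control and data SYNs are allowed out."""
    control_ok = fw.allow_out_syn(server, 21)
    fw.observe_control_reply(reply, server)
    host, port = parse_passive_reply(reply, server)
    return {"control": control_ok, "data": fw.allow_out_syn(host, port)}


if __name__ == "__main__":
    for proxy in (False, True):
        fw = InclusiveFirewall(ftp_proxy=proxy)
        print(f"ftp_proxy={proxy}:", passive_ftp_session(fw, "203.0.113.10", SAMPLE_PASV_REPLY))
```

The real proxy also rewrites addresses for NAT and tracks the PORT command for active mode; the toy above models only the part that matters for the question, namely that the data connection is opened from what the server says on the control channel rather than from any static rule. Without the ipnat proxy rule loaded, the pass rule for port 21 on its own leaves the passive data connection in the block-all default, which is the behaviour described in the post.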